Jason Downs wrote:
>
> BSDI login classes are just about the ugliest thing I've ever had the
> misfortune to deal with as a sysadmin. AIX even manages to be cleaner
> than that.
Is there any public documentation on BSDI login classes? I don't have
access to a BSDI machine.
> NetBSD should just switch over to nsswitch.conf, which provides at least
> the basic notion of being able to configure what name service/authentication
> scheme is being used. Login classes would be a mistake.
nsswitch.conf is great for name service, but for specifying
authentication type? I don't think so. You'd have to really stretch it
to do what I want to do. I'm talking about something akin to the
logdaemon login.access file, but more powerful.
Anyway, let's cross that bridge when we come to it :-). I want to solve
the fbtab issue first, since it's simpler and separate.
Please consider the following proposal:
A new function in libutil:
int login_fbtab(char *tty, uid_t uid, gid_t gid, int login);
Function returns 0 on success, -1 on error with errno = reason.
(side topic: should there be a header file for libutil?)
tty is the tty name, uid and gid are those of the user logging in, login
is nonzero if the function is being called to set up permissions for
login, 0 for cleaning up (logout).
The function processes the file /etc/fbtab, which has the following
format:
fields are separated by TAB and/or SPACE characters. Comments begin with
# and continue to end of line. Blank lines are allowed, and a
comment-only line is considered blank.
Three formats of entries are allowed. All matching entries are run.
Format one:
tty [login|logout] user group mode devs
The fields are:
tty: name of console tty. If this field doesn't match the tty the user is
logging in (out) on, ignore the line. "*" means "any tty not matched yet".
login|logout: the literal string "login" or "logout" (without quotes).
The line is ignored if the string doesn't indicate the kind of activity
that is currently happening.
user: the user (name or uid) to change ownership of devs to. "." (a
period, no quotes) means "the user who is logging in (out)". "-" (dash,
no quotes) means "do not change".
group: the group (name or gid) to change ownership of devs to. "."
means "the primary gid of the user who is logging in (out)". "-" (dash,
no quotes) means "do not change".
mode: the ownership mode to change the devices to. "-" means "no change".
devs: a colon-separated list of devices to change the ownership of.
Example usage:
/dev/console login . . 0600 /dev/kbd:/dev/mouse:/dev/audio
/dev/console logout root wheel 0600 /dev/kbd:/dev/mouse:/dev/audio
Entry type two:
tty login|logout /program/name [args]
tty and login|logout: as above
/program/name: name of program (or script) to run. The script will
receive the name of the currently logging in (out) user as LOGNAME in
the environment. The rest of the line (or up until a #), if any, will
be passed to the program as argv[1].
Entry type three (Backwards compatibility with traditional fbtab):
tty mode devs
is equivalent to the two type-1 lines:
tty login . . mode devs
tty logout root wheel 0600 devs
Questions:
Is this sufficient?
Is this too much?
Is the "*" tty support needed (my feeling is probably not)?
Is the "-" no-change support needed (my feeling is it might be)?
Is the escape-to-an-external-script-or-binary (entry type 2)
support needed (my feeling is it might be)?
Anything else that should be changed?
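To make the proposed format concrete, here is an added example (not code from the proposal or from NetBSD's libutil) that parses all three fbtab entry types and resolves which ownership changes or program runs would fire for a given tty at login or logout. It returns a plan rather than calling chown/chmod/exec, so it can be checked against a constructed sample file; the "*" rule is read as "no earlier entry named this tty", and /usr/local/sbin/fbhook is a hypothetical hook program.

```python
# Constructed sample fbtab covering all three entry types and a "*" line.
SAMPLE_FBTAB = """\
# type 1: give the console user the devices, hand them back on logout
/dev/console login  . . 0600 /dev/kbd:/dev/mouse:/dev/audio
/dev/console logout root wheel 0600 /dev/kbd:/dev/mouse:/dev/audio
/dev/console login /usr/local/sbin/fbhook --attach   # type 2 (hypothetical hook)
/dev/ttyE0 0600 /dev/wsmouse                          # type 3 (traditional)
* login - - 0600 /dev/audio                           # any tty not matched yet
"""

def parse_fbtab(text):
    """Return (tty, event, action) triples in file order; a type-3 line
    expands into the two type-1 lines the proposal declares it equivalent to."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comment, split on TAB/SPACE
        if not fields:
            continue  # blank or comment-only line
        if len(fields) >= 3 and fields[1] in ("login", "logout"):
            tty, event = fields[:2]
            if fields[2].startswith("/"):  # type 2: program, rest of line is argv[1]
                entries.append((tty, event, ("run", fields[2], " ".join(fields[3:]))))
            elif len(fields) == 6:  # type 1: user group mode devs
                user, group, mode, devs = fields[2:]
                entries.append((tty, event, ("chown", user, group, mode, devs.split(":"))))
            else:
                raise ValueError("malformed fbtab line: %r" % line)
        elif len(fields) == 3:  # type 3: tty mode devs
            tty, mode, devs = fields
            entries.append((tty, "login", ("chown", ".", ".", mode, devs.split(":"))))
            entries.append((tty, "logout", ("chown", "root", "wheel", "0600", devs.split(":"))))
        else:
            raise ValueError("malformed fbtab line: %r" % line)
    return entries

def plan_actions(entries, tty, uid, gid, login):
    """Mirror login_fbtab(tty, uid, gid, login) but return the plan instead of
    acting: "." is the user's uid/gid, "-" leaves the attribute unchanged,
    "*" entries apply only when no earlier entry named this tty."""
    event = "login" if login else "logout"
    seen_tty, planned = False, []
    for ent_tty, ent_event, act in entries:
        if ent_tty == tty:
            seen_tty = True
        elif ent_tty != "*" or seen_tty:
            continue
        if ent_event != event:
            continue
        if act[0] == "run":
            planned.append(act)
            continue
        _, user, group, mode, devs = act
        owner = uid if user == "." else None if user == "-" else user
        grp = gid if group == "." else None if group == "-" else group
        perm = None if mode == "-" else int(mode, 8)  # mode given in octal
        planned.extend(("chown", dev, owner, grp, perm) for dev in devs)
    return planned
```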